[Dshield] PDF Spam Wave

Domains can be blacklisted. Many of the malware and anti-phishing
blacklists are URLs and FQDNs, not IP addresses.
> -----Original Message-----
> From: list-bounces at lists.dshield.org> [mailto:list-bounces at lists.dshield.org] On Behalf Of Freddie Sorensen
> Sent: Friday, August 10, 2007 7:20 AM
> To: list at lists.dshield.org> Subject: Re: [Dshield] PDF Spam Wave
>> Domains are not blacklisted - IP addresses are blacklisted
>>>> -------- Original Nachricht --------
> Von: Chuck Rothauser [mailto:chuckr at keywestkeys.com]
> Gesendet: 10.08.2007 14:52:20
> An: "General DShield Discussion List" <list at lists.dshield.org>;
> Betreff: Re: [Dshield] PDF Spam Wave
>>> Still worse,
> Spammers find smtp mailrelays and use legitimate
> domains which then causes
> the legitimate domain to be black listed........no fun
> trying to get your
> domain "unlisted"......
> ---> Chuck
> ----- Original Message -----
> From: "Cefiar"
> To:
> Sent: Friday, August 10, 2007 2:16 AM
> Subject: Re: [Dshield] PDF Spam Wave
> > On Tuesday 07 August 2007 19:55:35 jayjwa wrote:
> >> *this* PDF spam:
> >>
> >> 1. Spammer connects to large.email.provider (no
> http-to-smtp header),
> >> submits email w/PDF attachment spoofed as
> >> (random-made-up-user)@certain.domain
> >>
> >> 2. Spammer sends email to non-existing user,
> >> (random)@(random-but-real-domain). So now we have
> fake mail going to
> >> non-existing user.
> >>
> >> 3. All of the (random-but-real-domain)s now receive
> mail to the correct
> >> domain, but to a user that _does not exist_ or
> cannot receive mail for
> >> some
> >> other reason.
> >>
> >> 4. They reject this. How is this *not* correct behavior?
> >>
> >> 5. Now certain.domain gets this "bounce". Only it's
> not a real bounce
> >> because certain.domain _never sent anything or
> handled any mail_.
> >>
> >> 6. "Bounce" (remember, certain.domain did not send
> anything to begin
> >> with)
> >> is labeled to (random)@certain.domain. Obviously,
> (random) does not
> >> exist.
> >> What to do with mail to a user that does not exist?
> Do you see the cycle
> >> here?
> >
> > ...And unfortunately I've seen this for well over 7
> years, and in many
> > cases
> > my own personal and work addresses have been the destinations.
> Then it
> > migrated well over 5 years ago to a combination of
> random addresses,
> > addresses pulled from address books and off mailing
> lists, and corrupted
> > versions of the same. Ever seen mail aimed at a user
> called "rdomo"?
> > Welcome
> > to a corrupted "majordomo" email address. I've even
> got email directed at
> > "r"
> > and "o" on the same machine.
> >
> >> To make matters worse, multiply the above by the
> 10,000 or so messages
> >> the
> >> spam run seemed to generate, and also the fact that
> some mailservers kept
> >> trying to re-deliver even after the transaction was 550'ed.
> The
> >> "certain.domain" happened to be one of my intranet
> hosts. The only
> >> sensible
> >> thing I could come up with that ended mail to no one
> looping around in
> >> circles was eating these fake bounces at the door,
> which it showed
> >> towards
> >> the bottom of my original post.
> >
> > In many of the above cases (eg: "rdomo"), I simply
> created an alias and
> > fed
> > the mail directly into things like spamassassin's
> learning mode,
> > especially
> > when I was "sure" the address was bogus.
> >
> >> Moreover, this spam operated more like an email
> virus, in that I don't
> >> think it would be wise to bounce them, but rather sink them.
> The only
> >> place
> >> all these spam could end would be in the mailbox of
> a postmaster, which
> >> seemed to me a pretty worthless spam run (as no
> end-users ever got any
> >> messages). Why someone would initiate such a spam
> run was one of the
> >> things
> >> I was hoping to find out. If it was Joe-Job, as
> someone suggested, then
> >> no,
> >> I have not seen alot directed at me (especially to a
> low-activity,
> >> intranet
> >> server) as I do not run a commercial, educational
> institute or ISP
> >> mailserver.
> >
> > As mentioned above, I have seen this sort problem for the last
> 7 or so
> > years,
> > on various addresses (from commercial, educational, ISP and
> > non-commercial)
> > over that time. Spammers and virus writers are
> feeding off each others
> > technical know-how, and abusing the system in any way
> they can get away
> > with.
> >
> >> ------------Reply to second post, tonni at hetnet.nl:
> >>
> >> ->I have a perfect pdf spam solution, I refuse all
> mail that isn't for my
> >> -> users, my 1550+ user site currently refuses far
> more mail than it is
> >> -> offered,
> >>
> >> In this case (#2), your perfect pdf spam solution
> would have contributed
> >> to
> >> the storm of bounces already in session...
> >
> > It might, but the problem here is not that it's being
> rejected inline -
> > it's
> > that large.email.provider is not adequately filtering
> mail, no matter what
> > the source. They're the source of the problem (they
> accept the mail in the
> > first place), and they're the ones that should be the
> source of your ire.
> >
> > Personally, I put everything through a spam filter.
> Whether the user is
> > authenticated or not, whether they're from a trusted
> IP space or not, and
> > even if it's from a local process on the machine
> running the mail server.
> > I
> > also enforce things like not allowing banned files no
> matter how they're
> > injected into the system for the same reason. When it
> comes to things like
> > this, I trust no one. It also makes things a lot
> easier by reducing the
> > complexity of a setup, and therefore the number of
> different paths that
> > need
> > to be tested when things change to ensure correct operation.
> >
> > --
> > Stuart Young - aka Cefiar - cef at optus.net> > _________________________________________
> > SANSFIRE 2007 July 25-August 2 in Washington, DC. 56
> courses, SANS top
> > instructors, and a great tools and solutions expo.
> Register today!
> > http://www.sans.org/info/4651 (brochure code ISC)
> _________________________________________
> SANSFIRE 2007 July 25-August 2 in Washington, DC. 56
> courses, SANS top
> instructors, and a great tools and solutions expo.
> Register today!
>http://www.sans.org/info/4651 (brochure code ISC)
>> _________________________________________
> SANSFIRE 2007 July 25-August 2 in Washington, DC. 56
> courses, SANS top instructors, and a great tools and
> solutions expo. Register today!
>http://www.sans.org/info/4651 (brochure code ISC)
>